NPE with X-Pack _has_privileges API

While exploring capabilities provided by X-Pack, I found the _has_privileges Privilege API that “allows you to determine whether the logged in user has a specified list of privileges.” I expected that issuing a call to _has_privileges would return what the user was allowed to do. I made the request as documented here.

The resulting NullPointerException (NPE) demonstrates that there is an issue with handling the request. Without access to the source code (X-Pack is closed source) it was impossible to debug this further.

I opened a support case with Elastic and have informed Elastic representatives this bug existed. This bug has existed since late 2017. I found it in Elasticsearch 5.5.x and Elasticsearch 6.0 beta. Elasticsearch 5.6.x still has this bug. I informed Elastic that Elasticsearch 6.0 beta had this issue as well. Elasticsearch >=6.1.0 has finally fixed this issue, but it was not backported to Elasticsearch 5.6.x or 6.0.x as of late February 2018.

NPE Fixed in Elasticsearch X-Pack >=6.1.0

Fixed REST requests that required a body but did not validate it, resulting in null pointer exceptions.

X-Pack Code Available by EULA

With X-Pack code becoming available in Elastic Stack 6.3, it will be possible to now debug and help pinpoint NPE exceptions. There is no guarantee that Elastic will fix these issues but collaboration is easier. Although not explicitly open source by the OSI definition, it will be possible to see the code.